SSL_read error on multiple simultaneous upstream SSL downloads

Maxim Dounin mdounin at mdounin.ru
Mon Oct 21 20:00:36 UTC 2013


Hello!

On Mon, Oct 21, 2013 at 11:57:34AM -0700, Piotr Sikora wrote:

> Hey,
> 
> > Looks like a regression in OpenSSL 1.0.0+.  I'm able to reproduce
> > the problem with OpenSSL 1.0.0 and more recent versions, including
> > recent git snapshot, but everything is fine with OpenSSL 0.9.8y
> > and previous versions.
> >
> > Bisection on OpenSSL 1.0.0 branch may be helpful to trace the
> > exact cause.
> 
> I've looked a bit into this over the weekend and it seems that it's
> being triggered by use of both: reading ahead and releasing buffers
> (introduced in OpenSSL-1.0.0, hence the regression) on the client side
> with upstream buffering off (I wasn't able to reproduce it with
> upstream buffering on, but that might be just because it's harder to
> trigger, as OpenSSL code path is effectively the same in both cases).
> 
> I don't think that we're affected on the server side (which would
> actually suggest nginx bug), so the work-around for the issue (at
> least for the time being) is to stop releasing buffers when nginx acts
> as a client. I'm a bit tempted to do it only for the case with
> buffering turned off, but from looking at the code I can't tell why it
> would make a difference.

While I tend to think that the problem is indeed related to
SSL_MODE_RELEASE_BUFFERS, I don't see any reasons why the server
side shouldn't be affected.  Could you please point out why you
think so?

In any case I don't think we should commit any workarounds before 
the problem is at least understood.  Trivial mitigation for the 
errors observed so far would be to switch proxy_buffering back to 
on, as by default, and/or use larger buffers.

-- 
Maxim Dounin
http://nginx.org/en/donation.html
